An application store is a type of digital distribution platform that enables users to download application software (also referred to as “apps”) for installation and execution upon their computing devices. The application store has become the de facto model for distributing application software to today's mobile computing devices, such as smart phones and tablet computers. This model is also increasingly being used to distribute software applications to non-mobile computing devices and platforms, such as desktop computers, televisions, set-top boxes, and gaming consoles.
A conventional application store may enable a user to browse through different categories of applications, view descriptive information and product reviews concerning applications, and purchase or otherwise obtain applications. Typically, when a user purchases or otherwise obtains an application from an application store, that application is automatically downloaded to and installed on the user's computing device. On many computing devices and platforms, access to an application store is provided via a built-in component of the operating system.
Within the application store ecosystem, there is always the threat that certain users will tamper with applications after such applications have been downloaded to and installed on their computing devices. A user may tamper with an application to avoid purchasing the application, to change the behavior of the application, or to gain a competitive advantage over other users who have installed and use the application, among other reasons.
By way of example, two versions of the same application may be distributed by an application store: a “free” version that can be obtained by users at no cost and that displays advertisements to generate revenue for the application's developer and a “premium” version that can be purchased by users for a price and that does not display advertisements. To ensure that advertisements are displayed, the free version of the application may have a configuration value associated therewith, denoted “Show Ads,” that is set to “True.” The premium version of the application may have the same configuration value associated therewith, but in the case of the premium version, “Show Ads” is set to “False” so that advertisements will not be displayed. A developer may store the configuration value in a file that is packaged and distributed with the application itself. For example, the developer may store the configuration value in an XML file called “settings.xml” which stores all of the configuration settings for the application and is packaged and distributed therewith.
In further accordance with this example, when the application is installed and then executed upon a user's computing device, the application will read the “Show Ads” configuration value from the “settings.xml” file and, based upon the value present in the file, will either display advertisements (because it is the “free” version) or not display advertisements (because it is the “premium” version).
If the “settings.xml” file is not properly protected, a user that has installed the “free” version of the application could discover the file and edit it such that the value for “Show Ads” could be changed from “True” to “False.” This is harmful to the developer because now the “free” version of the application will not display the advertisements that both generate revenue for the developer and incent the user to purchase the “premium” version of the application if he or she is not interested in seeing the advertisements.
The primary form of protection applied to applications today is based on some form of obfuscation or encryption of the content of the application. For example, application content may be encrypted when the application is first installed on a user's computing device and then decrypted as needed when the application is later executed. However, once the encryption has been defeated (e.g., the encryption key is obtained) there are typically no further checks to prevent users from modifying their applications at will.
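The “settings.xml” edit described above, next to the kind of post-decryption check the preceding paragraph says is typically missing, as an added example that is not part of the original text. The XML layout, the digest manifest and all function names are assumptions; the manifest is assumed to be authenticated by the platform (for example, store-signed), and verifying that is outside this example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: settings.xml as packaged with the "free" version
# (the element/attribute layout is an assumption, not from the original text).
PACKAGED = b'<settings><setting name="Show Ads" value="True"/></settings>'
# Constructed sample: the same file after a user edits it on the device.
TAMPERED = b'<settings><setting name="Show Ads" value="False"/></settings>'

# Assumption: per-file SHA-256 digests are recorded at packaging time in a
# manifest whose own authenticity is established elsewhere by the platform.
MANIFEST = {"settings.xml": hashlib.sha256(PACKAGED).hexdigest()}


class TamperedFileError(Exception):
    """Raised when a packaged file no longer matches its recorded digest."""


def parse_show_ads(raw: bytes) -> bool:
    """Extract the "Show Ads" value; a missing entry defaults to showing ads."""
    node = ET.fromstring(raw).find("setting[@name='Show Ads']")
    return node is None or node.get("value", "True").strip().lower() != "false"


def show_ads_naive(raw: bytes) -> bool:
    """Trusts whatever is on disk, so an edited file silently disables ads."""
    return parse_show_ads(raw)


def show_ads_checked(name: str, raw: bytes, manifest: dict) -> bool:
    """Refuses to use a file whose digest is unknown or differs from the manifest."""
    expected = manifest.get(name)
    actual = hashlib.sha256(raw).hexdigest()
    if expected is None or not hmac.compare_digest(expected, actual):
        raise TamperedFileError(f"{name}: content does not match packaged digest")
    return parse_show_ads(raw)


if __name__ == "__main__":
    print("naive, packaged :", show_ads_naive(PACKAGED))
    print("naive, tampered :", show_ads_naive(TAMPERED))
    print("checked, packaged:", show_ads_checked("settings.xml", PACKAGED, MANIFEST))
    try:
        show_ads_checked("settings.xml", TAMPERED, MANIFEST)
    except TamperedFileError as exc:
        print("checked, tampered: rejected ->", exc)
```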
A similar issue exists with content that is generated by an application after it has been installed on a user's computing device. For example, some applications generate electronic receipts that are stored on a user's computing device when the user makes an in-application purchase. If the receipts are not properly protected, a user could discover a receipt and edit it in a manner that will cause the application to behave as if the user has purchased items that the user has not actually purchased.